Reflets coincidentally invites itself in the Ukrainian police cars
The video surveillance cameras were not protected
Looking for cameras accessible via the Internet to follow the conflict, Reflets found itself in the cars of the Kyiv police, with sound and image in real time. The risks presented by these misconfigurations prompted us to warn the authorities. In less than four hours, the feeds were cut off.
It all starts with a work of Reflets on Ukrainian video surveillance cameras. Can we document the war through these cameras? Are they sufficiently protected? Could a possible vulnerability or a bad configuration allow a third country to collect intelligence?
A systematic collection of the cameras available in the country began on February 27, 2022. Testing all of the 55,007 pieces of equipment that can be reached via the Internet will have taken 48 hours.
Without much originality, and as in most countries, at least 5% of them are accessible using default usernames and passwords. These usernames and passwords must be changed during installation, but installers do not always worry about this. You can read our previous article on this subject here.
It is while performing these checks that we were surprised to watch a particular video stream: that of a camera located in a moving car. Kyiv's avenues, bridges, military checkpoints follow one another despite the curfew and no sooner have we realized what is happening than a second camera falls into our net. This time, the driver and the passenger are visible in the picture:
A police car. In Ukraine. In Kyiv.
The address of the third camera discovered seems to indicate that all the equipment is connected to a single network. A thorough analysis finally allows us to access more than thirty police vehicles in the city.
Views from inside the cars, views from outside, radio messages, telephone conversations, everything is freely...